PCI Base 2.0 – Don’t Leave Rogue Detection Up in The Air!

I have been preparing for the PCI DSS 2.0 draft released on October 28th, 2010, which is to be ratified in January of 2011. PCI DSS 2.0 clarifies requirements in many areas.

The draft 2.0 released yesterday has shown that there is little change in wireless recommendations around detecting the presence of rogue wireless access points. Actually the draft adds a little more room for interpretation.

In PCI DSS Draft v2.0, requirement 11.1 states that, to be compliant, organizations are required to “Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis,” with a note that states, “Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.”

As we examine this statement, it seems to lend itself to more than one option: perform a quarterly scan with a handheld scanner, rely on physically inspecting connections, or implement an always-on wireless IDS/IPS solution. I vote for the latter. Why?

1.) Testing for rogue access on a quarterly basis is just not enough, because threats can happen at any time. Detecting these threats should be done on a continuous basis, as with all the PCI DSS recommendations. The PCI Security Standards Council also agrees, based on a whitepaper I found here.

To quote: “Successful completion of a system scan or [assessment] for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.”

2.) Port scanning on the wired network is not enough, because it does not recognize “disguised” access points. The use of wired-side port scanning requires organizations to go through the compensating control process to seek approval for deviating from the standard. The approval of a compensating control depends on who is assessing the solution, so after spending time going through the process, there is no guarantee that the compensating control will be approved. The only true way to identify rogue wireless access is by monitoring the wireless network.

In June of 2009, the PCI Security Standards Council clarified this by releasing their Information Supplement: PCI DSS Wireless Guideline document found here.

On page 10 it states: “PCI DSS requirement 11.1 clearly specifies the use of a wireless analyzer or a wireless IDS/IPS system for scanning. Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify some unauthorized wireless devices; however, they tend to have high false positive/negative detection rates. Wired network scanning tools that scan for wireless devices often miss cleverly hidden and disguised rogue wireless devices or devices that are connected to isolated network segments.”

3.) Physical inspection is just as ineffective as port scanning, if not more so. Wrongdoers do not necessarily need to physically attach to a switch to acquire cardholder data, as seen with ad-hoc wireless bridges and evil twin access points. Also, physical inspection will do very little against reconnaissance activities or cracking tools that can lead to denial of service.

4.) I agree that NAC is valuable to have in any wireless environment, but I do not see it as a replacement for wireless IPS/IDS. These two technologies work together in securing the network. To secure cardholder data, leverage a wireless IPS/IDS to detect rogue access points, and NAC to assure that the device connected to the network has the proper anti-virus protection level, system update level and configuration.
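To make points 2 and 3 concrete, here is an added example (not code from the original post or from Cisco) of the wireless-side classification a monitoring sensor or WIDS performs: every observed beacon is compared against the inventory of managed radios, so an evil twin that advertises a corporate SSID from an unknown BSSID, or a hidden-SSID radio that is strong enough to be on premises, is flagged regardless of what its wired MAC looks like on a switch. All BSSIDs, SSIDs and signal levels are constructed sample data, and the RSSI floor is an assumed tuning value.

```python
"""Wireless-side rogue / evil-twin classification (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str    # radio MAC carried in the beacon (not the wired MAC a switch would see)
    ssid: str     # advertised network name, "" when the SSID is hidden
    channel: int
    rssi: int     # signal strength in dBm as measured by the monitoring sensor


# Constructed inventory of managed radios: BSSID -> SSID it is supposed to advertise.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": "CORP-POS",
    "00:1a:2b:3c:4d:02": "CORP-POS",
    "00:1a:2b:3c:4d:03": "CORP-GUEST",
}
CORPORATE_SSIDS = set(AUTHORIZED.values())

# Constructed sensor observations for one sweep.
OBSERVED = [
    AccessPoint("00:1a:2b:3c:4d:01", "CORP-POS", 6, -45),       # managed radio, as expected
    AccessPoint("00:1a:2b:3c:4d:02", "CORP-GUEST", 6, -50),     # managed radio, wrong SSID
    AccessPoint("de:ad:be:ef:00:01", "CORP-POS", 1, -38),       # corporate SSID, unknown radio
    AccessPoint("de:ad:be:ef:00:02", "", 36, -50),              # hidden SSID, unknown radio, strong
    AccessPoint("c0:ff:ee:00:00:01", "NeighborCafe", 1, -85),   # unknown radio, weak: likely next door
]


def classify(ap, authorized=AUTHORIZED, corporate_ssids=CORPORATE_SSIDS, rssi_floor=-70):
    """Return a verdict for one beacon. rssi_floor (assumed) separates on-premises from external."""
    if ap.bssid in authorized:
        # A managed radio advertising an unexpected SSID is a configuration drift, not a rogue.
        return "authorized" if ap.ssid == authorized[ap.bssid] else "misconfigured"
    if ap.ssid in corporate_ssids:
        return "evil-twin"          # our SSID from a radio we do not manage
    if ap.rssi >= rssi_floor:
        return "rogue-candidate"    # unknown radio close enough to be inside; locate and inspect
    return "external"               # unknown and weak; record, do not alert


def triage(observed=OBSERVED, **kwargs):
    """Group a sweep's beacons by verdict so the alert-worthy classes can be acted on."""
    report = {}
    for ap in observed:
        report.setdefault(classify(ap, **kwargs), []).append(ap.bssid)
    return report
```

Running `triage()` on the sample sweep puts the evil twin and the hidden radio into alert classes that a wired-side MAC sweep would never produce, because neither radio needs to show up in a switch CAM table to be a threat.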

Even though PCI DSS v1.2 (and soon v2.0) requirement 11.1 does allow users to take more than one approach to detecting rogue access, I think it is clear that quarterly scans, physical inspection and wired-side port scanning are ineffective. As you examine your network and look for ways to meet the new PCI DSS 2.0 requirements, I hope you consider these points when deciding how you will effectively detect rogue access, and look towards continuous wireless intrusion protection solutions to meet this requirement.

If you want to find out how to properly secure your network with continuous wireless intrusion protection and also adhere to PCI compliance guidelines, check out the Cisco PCI Compliance page.

For more information on the newly released PCI DSS v2.0, read Jason Lackey’s blog here.
